@hlos/staamp-mcp

v0.1.1

Published

STAAMP (Secure Trust Agent Access Management Protocol) MCP server - enables AI assistants to manage secrets without ever receiving credentials

Downloads

291

Readme

@hlos/staamp-mcp

AI agents get capabilities, not credentials.

STAAMP MCP Server enables AI assistants (Claude, Cursor, etc.) to manage secrets and authenticate to services without ever receiving your credentials.

Why HLOS?

| Traditional Approach | HLOS STAAMP |
|---------------------|-------------|
| Agent receives API keys/tokens | Agent NEVER receives credentials |
| Leaked prompts = leaked secrets | Nothing to leak |
| Trust the agent with credentials | Trust only HLOS |

The most secure credential is one the AI never touches.

Security Model

| Risk | How STAAMP Protects |
|------|---------------------|
| Prompt injection leaks secrets | Agent never has secrets to leak |
| Runaway agent spending | Budget envelopes with hard limits |
| Malicious action execution | Financial gating — no balance = no action |
| Screen capture exposure | Screen-invisible injection |
| Memory forensics | Token expiry + disposal (see note below) |

Security Guarantee

HLOS backs its security with up to $50,000 coverage for credential breaches on paid plans.

What is STAAMP?

Secure Trust Agent Access Management Protocol — a credential isolation protocol where:

  • Agents NEVER receive credentials — Unlike OAuth, your passwords and tokens are never exposed to the AI
  • Screen-invisible injection — Credentials injected directly into browsers, invisible to screen capture
  • Financial gating — Every action checks wallet balance and budget limits
  • Token lifecycle — Access tokens have automatic expiry and are cleared on disposal

Memory Handling Note

JavaScript cannot guarantee true memory zeroing. The MCP client handles token memory as follows:

  • Token Expiry: Access tokens automatically expire and are cleared after use
  • Dispose Method: Calling dispose() dereferences sensitive data to aid garbage collection
  • Limitation: Memory may persist until GC runs and could theoretically be extracted via memory dump

For highest-security deployments requiring guaranteed memory clearing, consider native Node.js addons with secure memory primitives or HSMs for key material.
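The expiry-plus-disposal pattern from this note, as an added example that is not code from @hlos/staamp-mcp: the class name `EphemeralToken`, its methods and the sample token are assumptions made for illustration. It holds the token in a `Buffer`, which can be overwritten in place, rather than in an immutable string that can only be dereferenced.

```javascript
// Added example, not code from @hlos/staamp-mcp. Names are hypothetical.
// A JS string cannot be overwritten, only dereferenced; a Buffer can be zero-filled.
class EphemeralToken {
  #buf;
  #expiresAt;
  #now;

  constructor(tokenBytes, ttlMs, now = Date.now) {
    this.#buf = Buffer.from(tokenBytes); // private copy; the caller wipes its own
    this.#now = now;
    this.#expiresAt = now() + ttlMs;
  }

  get disposed() { return this.#buf === null; }

  // Pass the bytes to a callback instead of returning them, so no long-lived
  // copy is handed out. Copies the callback makes (e.g. toString()) are not wiped.
  use(fn) {
    if (this.disposed) throw new Error('token disposed');
    if (this.#now() >= this.#expiresAt) {
      this.dispose();
      throw new Error('token expired');
    }
    return fn(this.#buf);
  }

  dispose() {
    if (this.#buf !== null) {
      this.#buf.fill(0); // overwrite in place, then drop the reference
      this.#buf = null;
    }
  }
}

// Constructed sample token and a fake clock so expiry is deterministic.
function demo() {
  let clock = 1000;
  const t = new EphemeralToken(Buffer.from('constructed-sample-token'), 500, () => clock);
  const len = t.use((b) => b.length);
  const ref = t.use((b) => b); // reference kept only to inspect the wipe afterwards
  clock = 1600;                // past the 500 ms lifetime
  let expired = false;
  try { t.use(() => {}); } catch (e) { expired = e.message === 'token expired'; }
  return { len, expired, wiped: ref.every((x) => x === 0), disposed: t.disposed };
}

console.log(demo());
```

This narrows the window but does not close it: a token that arrived as a string (for example through an environment variable) still exists as that string until it is garbage collected.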

Quick Start

Prerequisites

  • Node.js >= 18.0.0
  • An HLOS account (hlos.ai)

Installation

npx @hlos/staamp-mcp

Get Your Access Token

  1. Go to hlos.ai/settings/api
  2. Generate a new Access Token
  3. Add to your IDE config below

Claude Desktop

Add to claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "hlos": {
      "command": "npx",
      "args": ["-y", "@hlos/staamp-mcp"],
      "env": {
        "HLOS_ACCESS_TOKEN": "your_access_token_here"
      }
    }
  }
}

Cursor

Add to your Cursor MCP settings:

{
  "hlos": {
    "command": "npx",
    "args": ["-y", "@hlos/staamp-mcp"],
    "env": {
      "HLOS_ACCESS_TOKEN": "your_access_token_here"
    }
  }
}
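Both configs above keep `HLOS_ACCESS_TOKEN` as a literal in a JSON file and launch the package through `npx -y` with no version. The following check is an added example, not part of @hlos/staamp-mcp: `auditMcpConfig`, its rules and the sample token are assumptions, and `0.1.1` is the version shown on this page.

```javascript
// Added example, not part of @hlos/staamp-mcp. Function name and rules are hypothetical.
// Flags: group/other access bits on the config file (POSIX modes only), credential-like
// env values stored as literals, and npx package specs without an exact version.
const PLACEHOLDER = 'your_access_token_here';
const PINNED = /^(@[^/]+\/)?[^@/]+@\d+\.\d+\.\d+$/;

function auditMcpConfig(jsonText, fileMode) {
  const findings = [];
  if (fileMode & 0o077) {
    findings.push(`file mode ${(fileMode & 0o777).toString(8)} lets group/other access the config`);
  }
  const cfg = JSON.parse(jsonText);
  const servers = cfg.mcpServers ?? cfg; // Claude Desktop nests servers; the Cursor snippet does not
  for (const [name, srv] of Object.entries(servers)) {
    for (const [key, val] of Object.entries(srv.env ?? {})) {
      if (/TOKEN|SECRET|KEY|PASSWORD/i.test(key) && val && val !== PLACEHOLDER) {
        findings.push(`${name}: ${key} is a literal value in the config file`);
      }
    }
    if (srv.command === 'npx') {
      const spec = (srv.args ?? []).find((a) => !a.startsWith('-'));
      if (spec && !PINNED.test(spec)) {
        findings.push(`${name}: "${spec}" is not pinned to an exact version`);
      }
    }
  }
  return findings;
}

// Constructed sample: the Claude Desktop config above with a made-up token value.
const sample = JSON.stringify({
  mcpServers: {
    hlos: {
      command: 'npx',
      args: ['-y', '@hlos/staamp-mcp'],
      env: { HLOS_ACCESS_TOKEN: 'constructed-not-a-real-token' },
    },
  },
});

// Real use: auditMcpConfig(fs.readFileSync(p, 'utf8'), fs.statSync(p).mode)
console.log(auditMcpConfig(sample, 0o100644));
```

A config with mode `600` and `"@hlos/staamp-mcp@0.1.1"` in `args` clears the first and third findings; the second remains for as long as the token is written into the file.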

Available Tools

Secrets Management

| Tool | Description |
|------|-------------|
| list_secrets | List secrets with metadata |
| check_secret_exists | Verify secret existence |
| get_secret_info | Get secret details (never the value) |
| suggest_missing_secrets | Analyze code for missing secrets |
| create_secret | Request secret creation (requires approval) |
| sync_to_platform | Sync to Vercel, GitHub, Supabase |
| check_health | Secret health dashboard |

Agent Authentication (STAAMP)

| Tool | Description |
|------|-------------|
| request_session | Request authenticated session injection |
| list_sessions | List captured sessions (no credentials exposed) |
| check_session_status | Check if session is valid |
| get_totp_code | Generate 2FA codes without exposing secret |

Infrastructure & Spending

| Tool | Description |
|------|-------------|
| request_capability | Provision SMS, databases, APIs via spending gate |
| check_wallet | Check wallet balance and limits |
| list_capabilities | List available infrastructure |
| list_envelopes | View budget envelopes for agents |

How STAAMP Differs from OAuth

Traditional OAuth/Tokens        STAAMP/HLOS
──────────────────────         ─────────────────────────
Agent receives token      →    Agent NEVER gets credentials
Agent stores/uses token   →    HLOS injects directly to service
Token in context window   →    Nothing in context to leak
Token can be extracted    →    Nothing to extract
No spending controls      →    Budget envelopes + financial gating

Trust & Verification

Open Source: This MCP server is open source. Audit the code.

Who We Are: HLOS is built by the team behind SevenRooms ($1.2B exit) and Gilt Groupe ($250M exit).

Patents: 3 patents filed, 37 claims protecting the STAAMP architecture.

Security Guarantee: Up to $50K coverage for breaches.

Getting Started Path

We recommend a gradual trust ladder:

  1. Development — Start with dev/test secrets
  2. Staging — Graduate to internal tools
  3. Production — Full trust when you're ready

No pressure. Security is about comfort, not speed.

License

MIT — See LICENSE


Built with STAAMP by HLOS — The credential layer for AI agents.